
Summary
This rule is designed to detect unauthorized remote command execution via the ScreenConnect remote management tool on Windows systems. It identifies when a command is executed through the Windows command-line interpreter (cmd.exe) under the ScreenConnect client service process. Specifically, the detection logic looks for command-line arguments that reference temporary ScreenConnect directories and checks that the parent process is ScreenConnect.ClientService.exe. Because ScreenConnect is also used legitimately, this rule may generate false positives, particularly in environments where the tool is frequently used for remote support, so organizations should review their own usage patterns before deploying it. The rule depends on process creation logs from Windows systems; without that data source it cannot fire reliably. The underlying threat maps to the MITRE ATT&CK framework's Execution tactic, specifically command execution carried out through remote access tools.
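The following is an added illustration of the matching logic the summary describes, written for this page and not taken from the rule itself or from any detection vendor's code. It assumes process creation events carry the common Image, ParentImage and CommandLine fields, and it assumes the "temporary ScreenConnect directory" reference is a path containing \TEMP\ScreenConnect\ (an assumption about the exact string; the rule may use a different pattern). The sample events are constructed, not real telemetry.

```python
"""Illustrative matcher for the ScreenConnect cmd.exe detection described above."""
from typing import Dict, List

# Assumed match patterns (not copied from the rule): cmd.exe launched by the
# ScreenConnect client service with a command line that points into a
# temporary ScreenConnect directory. All comparisons are case-insensitive.
IMAGE_SUFFIX = "\\cmd.exe"
PARENT_SUFFIX = "\\screenconnect.clientservice.exe"
TEMP_DIR_MARKER = "\\temp\\screenconnect\\"


def matches_rule(event: Dict[str, str]) -> bool:
    """Return True when a process creation event satisfies all three conditions."""
    image = event.get("Image", "").lower()
    parent = event.get("ParentImage", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    return (
        image.endswith(IMAGE_SUFFIX)
        and parent.endswith(PARENT_SUFFIX)
        and TEMP_DIR_MARKER in cmdline
    )


def find_matches(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Run the rule over a batch of events and return the ones that fire."""
    return [e for e in events if matches_rule(e)]


# Constructed sample events (hypothetical paths and version folder "23.9.10").
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {  # Remote command pushed through the ScreenConnect client: should match.
        "Image": r"C:\Windows\System32\cmd.exe",
        "ParentImage": r"C:\Program Files (x86)\ScreenConnect Client (abc123)\ScreenConnect.ClientService.exe",
        "CommandLine": r'"C:\Windows\System32\cmd.exe" /c "C:\Windows\TEMP\ScreenConnect\23.9.10\run.cmd"',
    },
    {  # Same command line but launched by Explorer: parent does not match.
        "Image": r"C:\Windows\System32\cmd.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r'"C:\Windows\System32\cmd.exe" /c "C:\Windows\TEMP\ScreenConnect\23.9.10\run.cmd"',
    },
    {  # Service spawns its own helper, not cmd.exe: image does not match.
        "Image": r"C:\Program Files (x86)\ScreenConnect Client (abc123)\ScreenConnect.WindowsClient.exe",
        "ParentImage": r"C:\Program Files (x86)\ScreenConnect Client (abc123)\ScreenConnect.ClientService.exe",
        "CommandLine": r'"C:\Program Files (x86)\ScreenConnect Client (abc123)\ScreenConnect.WindowsClient.exe"',
    },
    {  # cmd.exe under the service but no temp-directory reference: does not match.
        "Image": r"C:\Windows\System32\cmd.exe",
        "ParentImage": r"C:\Program Files (x86)\ScreenConnect Client (abc123)\ScreenConnect.ClientService.exe",
        "CommandLine": r'"C:\Windows\System32\cmd.exe" /c whoami',
    },
]


if __name__ == "__main__":
    for hit in find_matches(SAMPLE_EVENTS):
        print("ALERT:", hit["CommandLine"])
```

The fourth sample event shows the trade-off the summary mentions: an interactive cmd.exe started under the client service is not caught, because the rule deliberately keys on the temporary directory reference to reduce noise from routine remote support sessions.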
Categories
- Windows
- Application
Data Sources
- Process
Created: 2023-10-10